Memorandum of Understanding 


The Information Commissioner 
and 
the Health and Social Care Information Centre 


Introduction 


1. This Memorandum of Understanding (MoU) establishes a 
framework for co-operation and information sharing between 
the Health and Social Care Information Centre (HSCIC) and 
the Information Commissioner (the Commissioner) in 
connection with the investigation of reported breaches of the 
Data Protection Act 1998 and specifically in relation to the 
Information Governance Incident Reporting Tool (created by 
the HSCIC). It sets out the role of each organisation and 
documents the practical working level arrangements between 
the Commissioner and the HSCIC. 


2. The Commissioner and the HSCIC will monitor the operation of 
this memorandum and will review it, initially after one year 
from the date of this document, and subsequently from time 
to time as necessary. 


3. Any changes to this memorandum identified between reviews
may be agreed in writing between the parties. 


4. Any issues arising in relation to this memorandum will be 
notified to the point of contact for each organisation (referred 
to in 23 below). 


5. This memorandum is a statement of intent that does not give
rise to legally binding obligations on the part of either the 
Commissioner or the HSCIC. 


Functions and powers of Commissioner 


6. The Commissioner is a corporation sole appointed by Her 
Majesty the Queen under the Data Protection Acts 1984 and 
1998 to act as the UK's independent regulator promoting 
public access to official information and protecting personal 
data. 


7. The Commissioner regulates the Data Protection Act 1998
(DPA), the Freedom of Information Act 2000 (FOIA), the
Privacy and Electronic Communications (EC Directive)
Regulations 2003 (PECR), the Environmental Information
Regulations 2004 (EIR) and the INSPIRE Regulations 2009.


8. Section 51 of the DPA places a duty on the Commissioner to
promote the following of good practice by data controllers and
the observance of the requirements of the DPA by
organisations.


9. Where the Commissioner is satisfied that any of the data
protection principles have been breached, a number of steps
can be taken to seek to change the behaviour of the
organisation including:


• serving information notices requiring organisations to
provide the Information Commissioner's Office with
specified information within a certain time period;

• obtaining undertakings committing an organisation to a
particular course of action in order to improve its
compliance;

• serving enforcement notices where there has been a
breach, requiring organisations to take (or refrain from
taking) specified steps in order to ensure they comply with
the law;

• conducting consensual assessments to check organisations
are complying; and

• issuing monetary penalty notices, requiring organisations
to pay up to £500,000 for serious breaches.


10. The Commissioner may also prosecute those who commit
criminal offences under the DPA.


Functions and powers of the HSCIC 


11. The Health and Social Care Information Centre (HSCIC) is a
data, information and technology resource for the health and
care system and plays a fundamental role in driving better
care, better services and better outcomes for patients. The
HSCIC collects, analyses and publishes national data and
statistical information and also delivers national IT systems
and services to support the health and care system.


12. The HSCIC's key statutory roles and functions are set out in
Chapter 2 Part 9 of the Health and Social Care Act 2012 -
sections 252 to 275 and include:


• managing national data collections.

• Secure storage and publication of the core national data
resources.

• data collection responsibilities for arms-length bodies and
the Department of Health.

• extending the capability of data linkage services.

• transitioning from the existing information standards
products and services into the new operating model.

• fulfilling data quality assurance responsibilities.

• consolidating our position as the national source of
indicators.

• fulfilling information governance responsibilities including
publishing the Code of Practice for handling of Confidential
Information.

• implementing plans for the system wide management of
administrative burden.

• Publication of the data collected by HSCIC in a
standardised, non-identifiable format for our commitments.

• Manage and monitor the day-to-day delivery of key
national systems and services.


The Information Governance Incident Reporting Tool has been
developed and implemented by the HSCIC as part of the
Information Governance Toolkit. From June 2013 all
organisations processing health and adult social care personal
data in England are required to use the Information
Governance Incident Reporting Tool to report serious data
breaches (level 2¹ IG Serious Incidents Requiring
Investigation) to NHS England, the Department of Health and
the Commissioner. This requirement is set out in the
Information Governance Toolkit.


¹ Level 2 IG SIRIs are sufficiently high profile cases, incidents which typically breach one of the
principles of the Data Protection Act and/or the Common Law Duty of Confidentiality, and are therefore
required to be reported to the Department of Health and Information Commissioner's Office.


Cooperation between the Commissioner and the HSCIC


13. Subject to any legal restrictions on the disclosure of
information (whether imposed by statute or otherwise) and at
their discretion, the HSCIC agree that they will:


a) Provide access to information relating to data protection
breaches reported via the Information Governance
Incident Reporting Tool (of Level 2 severity) to the
Commissioner by providing read-only access to the
data;


b) Provide an automatic email alert to the Commissioner
via the ‘casework@ico.gsi.gov.uk’ email address where a
level 2 data breach is reported to the HSCIC by a Data
Controller.


14. Subject to any legal restrictions on the disclosure of
information (whether imposed by statute or otherwise) and at
his discretion, the Commissioner agrees that he will access
information provided via the Information Governance Incident
Reporting Tool to inform his functions under 8 and 9 above,
subject to the restrictions set out at 16.


15. Subject to any legal restrictions on the disclosure of
information (whether imposed by statute or otherwise) and at
their discretion, both parties will:


a) Communicate regularly (at least quarterly) to discuss
matters of mutual interest (including trends and the
suitability of the tool);


b) Consult one another at an early stage on any issues
which might have significant implications for the other
organisation; and


c) Share (for comment) at an early stage draft documents
(such as consultation papers, guidance and briefings)
that may impact on the other's functions.


Sharing information 


16. Information which the HSCIC receives in the course of
performing its functions is specified for the purposes of
exercising its responsibilities as referred to in 11 and
specifically 12 above.


17. Subject to any disclosure restrictions applicable to the HSCIC,
they may disclose confidential information to the
Commissioner to facilitate the carrying out of a public function
of the HSCIC or a statutory function of the Commissioner, as
set out in 13 and 15 above.


18. Where the HSCIC wishes to disclose to the Commissioner
information necessary for the discharge by the Commissioner
of his functions under the DPA (or under FOIA), section 58
DPA provides that no enactment or rule of law prohibiting or
restricting the disclosure of information shall preclude the
HSCIC from furnishing such information to the Commissioner.


19. In respect of information obtained by or furnished to the
Commissioner for the purposes of his functions under the
Information Acts, it is an offence under section 59 DPA for any
current or former member of the Commissioner's staff or his
agent to disclose such information without lawful authority.


20. Section 59(2)(e) DPA provides that a disclosure by the
Commissioner of information obtained by or furnished to him
is made with lawful authority where, having regard to the
rights and freedoms or legitimate interests of any person, the
disclosure is necessary in the public interest.


21. In addition, section 59(2)(d) DPA provides that a disclosure of
information by the Commissioner is made with lawful authority
where the disclosure is made for the purposes of any
proceedings, whether criminal or civil.


22. The Commissioner may, at his discretion and in accordance
with sub-sections 59(2)(d) and/or (e) DPA, disclose
confidential information to HSCIC, where this is necessary for
performing the functions set out at 8 and/or 9 above.


Points of contact 


23. 
HSCIC
HEAD OF EXTERNAL AIG OEUVERY
(MARE. GREENAELO)
HEALTH & SOCIAL CARE

Information Commissioner
Intelligence Manager
(Adam Stevens)
Wycliffe House
Water Lane
Wilmslow
SK9 5AF


Information Commissioner 


(Signature) 


ANDY WILLIAMS
CHIEF EXECUTIVE


